Exemplo n.º 1
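 /**
  * Calculate the intersection of the valid policy tree and the
  * user-initial-policy-set.
  *
  * @param ValidatorState $state
  * @return ValidatorState State after the intersection; returned unchanged
  *         when there is no valid policy tree or when the
  *         user-initial-policy-set contains any-policy
  */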
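 private function _calculatePolicyIntersection(ValidatorState $state)
 {
     // Intersects the valid_policy_tree with the user-initial-policy-set.
     // The numbered cases below follow the wording of RFC 5280
     // section 6.1.5 step (g).

     // (i) If the valid_policy_tree is NULL, the intersection is NULL
     if (!$state->hasValidPolicyTree()) {
         return $state;
     }
     // (ii) If the valid_policy_tree is not NULL and
     // the user-initial-policy-set is any-policy, the intersection
     // is the entire valid_policy_tree
     $initial_policies = $this->_config->policySet();
     // Strict comparison on purpose: a match here returns the tree without
     // pruning it against the configured policies, so it must not succeed
     // through PHP's loose comparison (for example a boolean true element
     // loosely equals any non-empty string).
     // Assumes policySet() yields OID strings — confirm against the config class.
     if (in_array(PolicyInformation::OID_ANY_POLICY, $initial_policies, true)) {
         return $state;
     }
     // (iii) If the valid_policy_tree is not NULL and the
     // user-initial-policy-set is not any-policy, calculate
     // the intersection of the valid_policy_tree and the
     // user-initial-policy-set as follows
     return $state->validPolicyTree()->calculateIntersection($state, $initial_policies);
 }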
Exemplo n.º 2
 /**
  * Verify AC's signature and issuer's certification.
  *
  * @throws ACValidationException
  * @return Certificate Certificate of the AC's issuer
  */
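 private function _verifyIssuer()
 {
     // Step 1: validate the issuer's certification path at the configured
     // evaluation time, with the maximum length set to count($path).
     $path = $this->_config->issuerPath();
     $config = PathValidationConfig::defaultConfig()
         ->withMaxLength(count($path))
         ->withDateTime($this->_config->evaluationTime());
     try {
         $issuer = $path->validate($this->_crypto, $config)->certificate();
     } catch (PathValidationException $e) {
         // The code argument is 0 rather than null: the built-in Exception
         // constructor declares it as int, so null is deprecated since
         // PHP 8.1 and a TypeError under strict_types, which would replace
         // the ACValidationException callers expect on this failure path.
         // Assumes ACValidationException keeps the built-in constructor
         // signature — confirm.
         throw new ACValidationException("Failed to validate issuer PKC's certification path.", 0, $e);
     }
     // Step 2: the AC must be issued by the certificate that was just validated.
     if (!$this->_ac->isIssuedBy($issuer)) {
         throw new ACValidationException("Name mismatch of AC's issuer PKC.");
     }
     // Step 3: the AC's signature must verify with the validated issuer's
     // public key; the issuer is returned only after all three checks pass.
     $pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
     if (!$this->_ac->verify($this->_crypto, $pubkey_info)) {
         throw new ACValidationException("Failed to verify signature.");
     }
     return $issuer;
 }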
Exemplo n.º 3
 /**
  * Initialize variables according to RFC 5280 6.1.2.
  *
  * @link https://tools.ietf.org/html/rfc5280#section-6.1.2
  * @param PathValidationConfig $config
  * @param Certificate $trust_anchor Trust anchor certificate
  * @param int $n Number of certificates in the certification path
  * @return self
  */
 public static function initialize(PathValidationConfig $config, Certificate $trust_anchor, $n)
 {
     // Starting value of a policy counter: 0 when the matching config flag
     // is set, otherwise n + 1, i.e. one more than the path length.
     $initial_counter = static function ($flag) use ($n) {
         if ($flag) {
             return 0;
         }
         return $n + 1;
     };

     $instance = new self();

     // Path bookkeeping: total length and 1-based position.
     $instance->_pathLength = $n;
     $instance->_index = 1;

     // The policy tree starts as a single any-policy node; no name
     // constraints are in effect yet.
     $instance->_validPolicyTree = new PolicyTree(PolicyNode::anyPolicyNode());
     $instance->_excludedSubtrees = null;
     $instance->_permittedSubtrees = null;

     // Policy counters derived from the validation config.
     $instance->_explicitPolicy = $initial_counter($config->explicitPolicy());
     $instance->_inhibitAnyPolicy = $initial_counter($config->anyPolicyInhibit());
     $instance->_policyMapping = $initial_counter($config->policyMappingInhibit());

     // Working key material and issuer name come from the trust anchor certificate.
     $instance->_workingPublicKeyAlgorithm = $trust_anchor->signatureAlgorithm();
     $anchor_tbs = $trust_anchor->tbsCertificate();
     $anchor_key = $anchor_tbs->subjectPublicKeyInfo();
     $instance->_workingPublicKey = $anchor_key;
     $instance->_workingPublicKeyParameters = self::getAlgorithmParameters($anchor_key->algorithmIdentifier());
     // NOTE(review): the working issuer name is read from issuer(), which
     // equals the subject only for a self-signed anchor — confirm how
     // non-self-signed anchors are meant to be handled.
     $instance->_workingIssuerName = $anchor_tbs->issuer();

     $instance->_maxPathLength = $config->maxLength();

     return $instance;
 }